Brute force attacks and locking user accounts

User accounts are a vector for malicious attacks for many reasons, from impersonation to collecting personally identifiable information (PII). One method is a "brute force" attack, where a script will attempt many different passwords to log into an account. One line of defense against these attacks is to temporarily deny attempts to log into accounts that attempt too many failed logins in a short period of time. Locking out login attempts disrupts the attack and makes the account a less attractive target.

How Clerk protects against brute force attacks

Account Lockout is a Clerk feature that enables you to protect your users from brute-force attacks on static credentials such as passwords or backup codes. If enabled on your instance, Clerk will automatically track users' failed verification attempts when they try to authenticate via password on backup code.

How Account Lockout works

If the maximum allowed attempts are reached, the user will be locked out from signing in again until the lockout duration lapses. Lockout can also be configured to never expire, in which case the user will not be able to sign in unless an admin unlocks them.

An admin can unlock a user before the expiry of the lockout period via the Clerk Dashboard.

Defaults

By default, Clerk applications will lock user accounts after 100 failed login attempts and require a one hour cool down period before anyone can attempt to log into that account again. (While 100 attempts may seem like a lot to a human, it is very easy to reach this maximum for a bot!)

You can customize the number of times a login can be attempted before the account is locked, and how long lockouts last.

What a locked out user sees

When a user exceeds the maximum login attempts, the Clerk <SignIn /> component will inform them of how long they have been locked out for and to contact support for more information.

Last updated on November 30, 2023